\pdfbookmark[section]{Attack}{Attack}
\section{Attack}\label{sec:attack}
We now describe an attack an adversary can conduct which leverages the
Principal--Agent problem of liquid staking. First, we observe that
fair punishment in the class of protocols we are concerned
with is impossible.
\begin{claim}
Any \emph{fungible} liquid staking protocol with \emph{Proportional Representation}
deployed over any proof-of-stake consensus protocol which slashes equivocating validators by a rate of $p > 0$
cannot have \emph{fair punishment}.
\end{claim}
\noindent
\textbf{Demonstration.}
To see why the above claim holds, consider the following simplistic attack
illustrated in Figure~\ref{fig:simple-timeline}.
Let $b_0$ be the amount of delegated \asset in the protocol's delegation pool,
and $s_0$ be the total amount of \stasset tokens outstanding
before the attack commences. The initial quoted price of \stasset
is $\frac{b_0}{s_0}$.
Initially, the adversary $\mathcal{A}$ creates
a new validator $\mathcal{V}$ under her
control\footnote{To do so, she uses a fresh identity
to suppress potential suspicions. Most validators
have a real-world presence and can be held legally
accountable~\cite[p.~29]{liquid-staking-report}, but this validator is pseudonymous.}.
We do not require any of the existing protocol participants to delegate
to this validator for the attack to work, i.e., we assume, without loss of
generality, that all participants
are wise and all other validators are honest.
At time $t_2$, the adversary deposits $b$ \asset to the protocol,
signalling delegation intent to $\mathcal{V}$.
Due to proportional representation,
the protocol respects this intent and delegates $b$ \asset to $\mathcal{V}$.
The protocol now holds $b$ \asset delegated to $\mathcal{V}$.
Through this deposit, the adversary obtains
$s = \frac{s_0}{b_0} b$ \stasset, and the quoted price remains
$\frac{b_0 + b}{s_0 + s} = \frac{b_0}{s_0}$.
Lastly, at time $t_4 > t_2$, validator
$\mathcal{V}$ equivocates. This causes a proportion $p$ of
the capital $b$ to be slashed.
The remaining $(1 - p)b$ \asset is returned to the protocol.
However, the amount of \stasset circulating in the
market remains $s_0 + s = s_0 + b\frac{s_0}{b_0}$.
The new quoted price is now
$\frac{b_0 + (1 - p)b}{s_0 + s} = \frac{b_0}{s_0}(1 - p\frac{b}{b_0 + b}) < \frac{b_0}{s_0}$.
\iflncs
\import{./}{simple-attack-diagram.tex}
\fi
% \begin{align*}
% &\frac{b_0 + (1 - p)b}{s_0 + s}\\
% =&\frac{b_0 + (1 - p)b}{s_0}\frac{1}{1 + \frac{b}{b_0}}\\
% =&\frac{b_0}{s_0}\frac{1 + (1 - p)\frac{b}{b_0}}{1 + \frac{b}{b_0}}\\
% =&\frac{b_0}{s_0}\frac{1 + \frac{b}{b_0} - p\frac{b}{b_0}}{1 + \frac{b}{b_0}}\\
% =&\frac{b_0}{s_0}(1 - p\frac{b}{b_0(1 + \frac{b}{b_0})})\\
% =&\frac{b_0}{s_0}(1 - p\frac{b}{b_0 + b})\\
% \end{align*}
Because \stasset is fungible, \emph{every} stakeholder is negatively affected,
proportionally to their holdings.
The losses are socialized. As everyone else was
wise, this constitutes unfair punishment.
\hfill
$\diamond$
The above attack requires the adversary to expend capital $b$ to cause
harm to others, and is irrational. In the remainder of this section, we
explore how to make this attack profitable. The profitable attack works
for protocols with an \emph{unbonding period} $\delta > 0$. First, we show
how to attack without adversarial losses; later, how to profit.
\noindent
\textbf{Attack with no initial capital.}
With a subtle change to the above construction, the attack can be
performed without the adversary expending any capital (Figure~\ref{fig:free-timeline}).
Before depositing, the
adversary acquires a flash loan of $b$ \asset. At time $t_2$ she deposits \emph{those}
borrowed funds instead of her own.
For now, we assume that the borrowing of money is free
and there is no cost for the flash loan
(we revisit this assumption in
\ifproceedings
the full version of this paper~\cite{liquid-staking-eprint}).
\else
Section~\ref{sec:cost-of-money}).
\fi
During equivocation, the adversary does not want to be holding any
\stasset of her own, as the price of \stasset is about to drop. She also
needs to repay the acquired flash loan.
Therefore, after the adversary obtains $s = \frac{s_0}{b_0} b$ \stasset
from the deposit, she immediately sells\footnote{Instead of \emph{selling}, the
adversary can \emph{redeem}, but this may incur an unbonding delay, which can
be rectified by taking a loan. See
\ifproceedings
the full version of this paper~\cite{liquid-staking-eprint} for more details.
\else
Section~\ref{sec:stasset-price}.
\fi
}
them for $b = \frac{b_0}{s_0} s$ \asset in the open market, at time $t_3$.
She uses the obtained $b$ \asset to
repay the flash loan.
The acts of taking the flash loan,
depositing, swapping, and returning the flash loan,
can all be performed in a single transaction.
\iflncs
\import{./}{free-attack-diagram.tex}
\fi
The adversary has now managed to add $b$ \asset delegated to validator $\mathcal{V}$
in the protocol's delegation pool while not currently holding
any \stasset. The loss has been averted.
At this time, even though the
\stassets have changed hands, the liquid staking protocol cannot redelegate
its \assets instantly due to $\delta > 0$.
The adversary can now equivocate at time $t_4$ and, as before, cause the
price of \stasset to drop.
\ifccs
\import{./}{profitable-attack-diagram.tex}
\fi
\noindent
\textbf{Making the attack profitable.}
The profitable version of the attack (Figure~\ref{fig:profitable-timeline}) works similarly to the above
attack, but with some extra steps. As before, the adversary begins by spawning the
colluding validator $\mathcal{V}$, deposits $b$ \asset, obtained by a flash loan, at time $t_2$,
sells the acquired $s$ \stasset to repay the flash loan at time $t_3$, and equivocates at time $t_4$.
\iflncs
\import{./}{profitable-attack-diagram.tex}
\fi
A small extra trick will allow her to profit.
Before forcing the price of \stasset to drop, at time $t_0 < t_4$
the adversary \emph{shorts}
\stasset: She takes a loan of $z$ \stassets and
sells them for $b^* = z \frac{b_0}{s_0}$ \asset in the market.
% If $z$ approaches $s_0$, the loan market will not be sufficiently deep,
% and the adversary may have to split the attack into multiple iterations.
Lastly, at time $t_5 > t_4$ after the price drop, the adversary closes her short position by repaying $z$
\stasset.
% Once again, we consider that money borrowing is free.
% Hence, the total loan amount to be repaid is $z$ \stasset.
To recover this amount of \stasset, at time $t_5$, the adversary \emph{deposits}
$b' = \frac{b_0}{s_0}(1 - p\frac{b}{b_0 + b}) z$ \asset
into the protocol, which allows her to issue the exact required \stasset
to be paid back. This concludes the attack.
Her total profits from the attack are
$\alpha = b^* - b' = z \frac{b_0}{s_0} p \frac{b}{b_0 + b}$ \asset.
A larger short position $z \frac{b_0}{s_0}$ and a larger
\stasset price drop percentage $p \frac{b}{b_0 + b}$ yield higher profits for the adversary.
So far, we have allowed the adversary to take a loan indiscriminately without
any concern for collateral. In practice, loan platforms
require collateral, so the attack impact will be limited by the adversary's
initial capital available for collateralization.
Let $u$ \asset be the initial capital of the adversary.
If no overcollateralization is required, she can obtain a
loan of up to $z = u \frac{s_0}{b_0}$ \stasset and
then sell them back for $b^* = u$ \asset.
Her profit relative to her initial capital is then
$\alpha = u p \frac{b}{b_0 + b}$ \asset.
%Her total profits from the attack are
%$b^* - b' = \frac{b_0}{s_0}z(1 - (1 - p\frac{b}{b_0 + b}) f)$.
%This will be profitable if $(1 - p\frac{b}{b_0 + b}) f < 1$,
%i.e., the cost factor $f$ of money borrowing (which is always $> 1$) is
%sufficiently cheap that she can make up for it by the price movement
%$1 - p\frac{b}{b_0 + b}$ she has caused.
%
%The duration of the loan was $\Delta_z = t_5 - t_0$, so the
%total loan amount to be repaid, including the principal and interest, is
%$((1 + \rstasset)^{\Delta_z} + \betastasset) z$ \stasset.
%Letting $f = ((1 + \rstasset)^{\Delta_z} + \betastasset)$ be the cost factor
%of the loan, to recover this amount of \stasset, the adversary \emph{deposits}
%$b' = \frac{b_0}{s_0}(1 - p\frac{b}{b_0 + b}) f z$ \asset
%into the protocol, which allows her to issue the exact required \stasset
%to be paid back. This concludes the attack.
%
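The accounting of this section, replayed on an exact-arithmetic pool model so that a protocol designer can size the socialized loss for given $b_0$, $s_0$, $b$, $p$ and $z$. This is an added example, not code from the paper: the names Pool and exposure and the sample figures are constructed, loans are assumed free as in the text, and market sales are not modeled because they change holders but not pool state.

```python
from fractions import Fraction as F

class Pool:
    """Fungible pool: quoted price = delegated asset / outstanding stAsset."""
    def __init__(self, b0, s0):
        self.asset, self.st = F(b0), F(s0)
        self.delegated = {}  # validator -> asset delegated on depositor intent

    def price(self):
        return self.asset / self.st

    def deposit(self, amount, validator):
        """Mint stAsset at the quoted price; honor the delegation intent."""
        minted = F(amount) / self.price()
        self.asset += F(amount)
        self.st += minted
        self.delegated[validator] = self.delegated.get(validator, F(0)) + F(amount)
        return minted

    def slash(self, validator, p):
        """Equivocation: proportion p of the validator's delegation is burned."""
        burned = self.delegated[validator] * p
        self.delegated[validator] -= burned
        self.asset -= burned
        return burned

def exposure(b0, s0, b, p, z):
    """Replay t0..t5 with free loans and return the resulting accounting."""
    pool = Pool(b0, s0)
    p0 = pool.price()
    b_star = z * p0                      # t0: short z stAsset, sold at p0
    s = pool.deposit(b, "V")             # t2: deposit b with intent V
    assert pool.price() == p0            # minting at the quote keeps the price
    burned = pool.slash("V", p)          # t4: V equivocates
    p1 = pool.price()
    b_prime = z * p1                     # t5: asset needed to mint z stAsset
    assert pool.deposit(b_prime, "honest") == z
    assert pool.price() == p1
    return {"s": s, "p0": p0, "p1": p1, "drop": 1 - p1 / p0, "burned": burned,
            "original_holders_loss": F(s0) * (p0 - p1), "alpha": b_star - b_prime}

# Constructed figures, not taken from the paper or any deployed protocol.
SAMPLE = exposure(b0=1000, s0=800, b=250, p=F(1, 5), z=100)

if __name__ == "__main__":
    for name, value in SAMPLE.items():
        print(f"{name:>22} = {value}")
```

In the sample, the holders of the original $s_0$ \stasset absorb 40 of the 50 burned \asset although none of them delegated to $\mathcal{V}$; the buyers of the $s$ newly minted \stasset absorb the rest.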